WIRELESS NETWORK SECURITY
- Constance Charles
- 8 years ago
Much attention has been focused recently on the security aspects of existing Wi-Fi (IEEE ) wireless LAN systems. The rapid growth and deployment of these systems into a wide range of networks and for a wide variety of applications drives the need to support security solutions that meet the requirements of a wide variety of customers. This paper discusses traditional security methods, introduces two new enhancements that will soon improve upon WEP, focuses on some practical details of the 802.1x wireless security mechanism, addresses possible security concerns with 802.1x, and closes with a discussion of how to best secure your wireless network using Proxim ORiNOCO products with 802.1x solutions that are available today.

Traditional Security

Wireless security can be broken into two parts: authentication and encryption. Authentication mechanisms can be used to identify a wireless client to an access point and vice-versa, while encryption mechanisms ensure that it is not possible to intercept and decode data. For many years, MAC access control lists have been used for authentication, and WEP has been used for encryption.

Authentication

ORiNOCO access points support MAC authentication of wireless clients, which means that only traffic from authorized MAC addresses will be allowed through the access point. The ORiNOCO access point will determine if a particular MAC address is valid by checking it against either a RADIUS server external to the access point or against a database within the nonvolatile storage of the access point. This is a somewhat weak authentication mechanism because it can be circumvented, and because authentication is unilateral. It can be circumvented for two reasons. First, software exists to change the MAC address of some cards. Second, authentication is tied to the hardware that a person is using and not to the identity of the user.
Therefore, it could be possible to steal a legitimate user's PC and gain illegal access to a network. Unilateral authentication means that the access point authenticates the user, but the user does not authenticate the access point. This unilateral authentication is a problem because an unsuspecting user could associate to a rogue access point and begin passing network usernames and passwords through the illegitimate access point. This would allow a hacker to capture the unsuspecting user's credentials to gain access to other network resources.

Encryption

Much attention has been paid recently to the fact that Wired Equivalent Privacy (WEP) encryption defined by is not an industrial strength encryption protocol. Papers by Borisov [1] and Walker [2] have discussed the vulnerabilities of WEP. The Fluhrer [3] results have resulted in easy to mount passive attacks [4]. Despite these findings, WEP is still in general use today either because administrators are not concerned about hackers, or because the wireless network is secured by other means. Virtual Private Networking mechanisms (VPNs) are the most common means to secure wireless networks that are either using WEP encryption or no security at all.

[1] Brewer, Borisov, et al, " Security",
[2] Walker, Jesse, "Unsafe at any Key Size: an analysis of the WEP encapsulation", November 2000
[3] Fluhrer, Mantin, Shamir, "Weaknesses in the Key Scheduling Algorithm of RC4", August

ORiNOCO security paper v2.2, Copyright 2003

The most recent cracks have been implemented in the above referenced AirSnort program, which exploits a specific weakness within WEP: weak initialization vectors (IVs). The actual WEP key that is used to encrypt user data is composed of two parts: a 24-bit IV and a 40, 104, or 128-bit user-defined key. The IV is combined with the user key to create the key that is used to encrypt user data.

The weak IV problem was solved in ORiNOCO b products soon after the weakness was discovered, and the solution was labeled ORiNOCO WEPplus. ORiNOCO WEPplus-enabled equipment chooses not to use these weak IVs during transmit cycles. The transmitting device determines IVs, and the receiving device just follows the transmitting device's instructions. This does not create any compatibility issues between ORiNOCO WEPplus equipment and other vendors' less secure equipment. Because the algorithm only functions during transmit cycles, although there are no compatibility issues between ORiNOCO WEPplus and other vendors' equipment, weak-key avoidance is only fully effective if ORiNOCO products are used on both ends of the transmission. Both client and access point must use ORiNOCO radios for WEPplus to be effective in both transmit and receive directions.

Many wireless administrators elect to forgo WEP altogether and use VPN software for encryption. This option is preferable for public wireless hotspot providers that are trying to attract as many users as possible by keeping client configuration as simple as possible. Hotspot customers use VPN software to connect to their company's network.
The VPN option is also preferable to many enterprise administrators because VPN solutions offer the best commercially available encryption strength. VPN software uses advanced encryption mechanisms, such as AES, so that decryption is virtually impossible.
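The transmit-side weak-IV avoidance described above for WEPplus can be sketched as follows. This is an added example, not Proxim's code: the actual WEPplus filter is not given in this paper, so the sketch assumes the IV pattern (A+3, 0xFF, X) from the Fluhrer, Mantin and Shamir paper, a big-endian counter as the IV source, and a simplified frame layout without the key ID byte.

```python
"""WEP per-packet keying with transmit-side weak-IV avoidance (illustrative)."""
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling followed by keystream generation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def is_weak_iv(iv: bytes, key_len: int) -> bool:
    """Assumed filter: IVs of the form (A+3, 0xFF, X), A indexing a user-key byte."""
    return iv[1] == 0xFF and 3 <= iv[0] < 3 + key_len


def weak_iv_count(key_len: int) -> int:
    """How many of the 2**24 IVs the filter removes for a given user-key length."""
    return sum(256 for a in range(256) for b in range(256)
               if is_weak_iv(bytes([a, b, 0]), key_len))


class TransmitIvSequencer:
    """Counter-based IV source that can skip weak IVs, as a transmitter would."""

    def __init__(self, key_len: int, start: int = 0, avoid_weak: bool = True):
        self.key_len = key_len
        self.counter = start % (1 << 24)
        self.avoid_weak = avoid_weak

    def next_iv(self) -> bytes:
        while True:
            iv = self.counter.to_bytes(3, "big")
            self.counter = (self.counter + 1) % (1 << 24)
            if not (self.avoid_weak and is_weak_iv(iv, self.key_len)):
                return iv


def wep_encapsulate(iv: bytes, user_key: bytes, payload: bytes) -> bytes:
    """RC4 is keyed with IV || user key; a CRC-32 ICV is appended before encryption."""
    data = payload + zlib.crc32(payload).to_bytes(4, "little")
    keystream = rc4_keystream(iv + user_key, len(data))
    return iv + bytes(a ^ b for a, b in zip(data, keystream))


def wep_decapsulate(frame: bytes, user_key: bytes):
    """The receiver reads the IV from the frame; it needs no knowledge of the filter."""
    iv, body = frame[:3], frame[3:]
    keystream = rc4_keystream(iv + user_key, len(body))
    data = bytes(a ^ b for a, b in zip(body, keystream))
    payload, icv = data[:-4], data[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        return None  # wrong key or corrupted frame
    return payload


if __name__ == "__main__":
    user_key = bytes(range(1, 14))            # constructed 104-bit user key
    tx = TransmitIvSequencer(len(user_key), start=0x03FEFF)
    for _ in range(2):
        iv = tx.next_iv()
        frame = wep_encapsulate(iv, user_key, b"constructed payload")
        print(iv.hex(), wep_decapsulate(frame, user_key))
    print("weak IVs skipped for this key length:", weak_iv_count(len(user_key)))
```

Because the receiver only follows the IV carried in each frame, a filtering transmitter stays compatible with any receiver, while frames sent by a non-filtering peer can still carry weak IVs.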
Security Enhancements

The IEEE, the organization that created the standard, is responsible for keeping the standard current. The IEEE membership includes many vendors that must follow a strict standards-making process and make compromises in order to agree on any final standard. This process takes a long time, so in order to address market requirements more quickly, the Wi-Fi Alliance has created a market standard called Wi-Fi Protected Access that will be implemented ahead of the i standard.

i

The Security Task Group that is creating the i standard is working to specify stronger encryption algorithms for use in networks. Proxim is participating in this effort to ensure that our products will be compliant with the standard when it is ratified. In the current draft specification, a strengthened version of the RC-4 / per-frame encryption algorithm, and a 128-bit AES encryption algorithm are proposed. Improvements based on feedback from the cryptographic community continue to be incorporated into the draft. We expect that the IEEE i specification will be published at the end of

Wi-Fi Protected Access [5]

As an intermediate solution that can be applied to existing WLAN hardware, the Wi-Fi Alliance has adopted Wi-Fi Protected Access (WPA). Proxim will implement WPA on client and access point products and make this available in the first half of

WPA is a specification of standards-based, interoperable security enhancements that strongly increase the level of data protection and access control for existing and future wireless LAN systems. Designed to run on existing hardware as a software upgrade, Wi-Fi Protected Access is derived from, and will be forward compatible with, the upcoming IEEE i standard. When properly installed, it will provide wireless LAN users with a high level of assurance that their data will remain protected and that only authorized network users can access the network.
The Wi-Fi Alliance plans to begin interoperability certification testing on Wi-Fi Protected Access products starting in the first half of

Wi-Fi Protected Access was created with several goals in mind:

- A strong, interoperable security replacement for WEP
- Software upgradeable to existing Wi-Fi certified client products
- Applicable for both home and large enterprise users
- Available immediately

To meet these goals, authentication and encryption were improved using parts of the i standard draft.

Enhanced Data Encryption through TKIP

To improve data encryption, Wi-Fi Protected Access utilizes the Temporal Key Integrity Protocol (TKIP). TKIP provides important data encryption enhancements including a per-packet key mixing function, a message integrity check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism. Through these enhancements, TKIP addresses all of WEP's known vulnerabilities.

[5] WECA:
Enterprise-level User Authentication via 802.1x and EAP

WEP has almost no user authentication mechanism. Wi-Fi Protected Access user authentication is implemented using 802.1x and the Extensible Authentication Protocol (EAP). Together, these technologies provide a framework for strong user authentication. This framework utilizes a central authentication server, which employs mutual authentication so that the wireless user does not accidentally join a rogue network.

Wi-Fi Protected Access and IEEE i Comparison

Wi-Fi Protected Access will be forward compatible with the IEEE i security specification currently under development. Wi-Fi Protected Access is a subset of the current i draft and uses certain pieces of the i draft that are ready to bring to market today, such as 802.1x and TKIP. The main pieces of the i draft that are not included in Wi-Fi Protected Access are secure IBSS (Ad-Hoc mode), secure fast handoff (for specialized VoIP phones), secure de-authentication and disassociation, as well as enhanced encryption protocols such as AES-CCMP. These features are either not yet ready for market or will require hardware upgrades to implement. Proxim WPA-compliant access points will be available, and Proxim client products will be upgradeable to WPA soon after the standard is ratified.

802.1x Security Practical Details

Unlike WPA and i, 802.1x is available and is widely deployed on wireless networks today. There are three primary ways to authenticate using 802.1x: shared secrets (username/password), certificates, and SIM cards. While this paper focuses on the shared secrets method, each authentication method has advantages and disadvantages [6] and the needs of individual deployments dictate which is used. ORiNOCO products support all three types of authentication, making it possible to retain existing authentication systems, or to maintain the most flexibility while designing new ones.

[6] C. Ellison and B. Schneier, "Ten Risks of PKI: What You're Not Being Told About Public Key Infrastructure",
Terms

Understanding 802.1x requires knowing the names of the different components that make up an 802.1x-secured wireless network. Figure 1 shows the location and role of each one of these terms in the authentication process.

- Supplicant: End user system seeking access to the network.
- Authenticator: Controls access to the network (access point).
- Authentication Server (RADIUS Server): Authenticates the end user, negotiates key material with the end user, and controls access to the network via the authenticator.
- EAP: Extensible Authentication Protocol. A secure protocol for negotiating other security protocols.
- EAPOL: EAP Over LAN. The version of EAP that is used over wireless networks.
- PAE: Port Access Entity. PAEs are similar to toggle switches. When the switch is open, no traffic is allowed to pass except for 802.1x traffic. After authentication is successful, the switch closes and user data is allowed to pass.

Basic Operation

The supplicant negotiates the type of security protocol to be used with the authenticator using the EAP protocol. The properties of the different protocols that can be used across EAPOL and RADIUS are outlined in Table 1. We will discuss the practical use of these protocols later. Using the negotiated protocol, the supplicant provides credentials to the authentication server, and the authentication server provides credentials to the client. After each has been authenticated to the other, the security protocol is then used to negotiate session keys, which are used to encrypt user data.

Common EAP types

IEEE 802.1x, Port Based Network Authentication [7], uses the Extensible Authentication Protocol (EAP) as its authentication framework. EAP is a transport mechanism, and any defined EAP method can be used within EAP, enabling support for a wide variety of authentication credentials.

[7] IEEE:
Figure 1: EAP and 802.1x

Common, standards-based, non-proprietary EAP authentication methods on the market today include EAP-Transport Layer Security (TLS) [8], EAP-Tunneled TLS (TTLS) [9], and EAP-Protected EAP (PEAP). These methods support mutual authentication based on the two common ways to authenticate an end user or device: digital certificates and shared secrets (username/password).

EAP-PEAP is often the easiest to implement because of free client support from Microsoft, and can be just as secure as EAP-TLS if passwords are kept secure. EAP-PEAP does not require the use of client certificates.

EAP-TTLS is similar to EAP-PEAP because it does not require client certificates, but instead is based on client passwords. The disadvantage of EAP-TTLS is that it is not free: server and individual client licenses must be purchased from vendors such as Funk or Meetinghouse. EAP-TTLS became available in February of

EAP-TLS requires certificates on both the RADIUS server and the wireless client. The distribution of certificates to each client can be challenging if the client-to-network administrator ratio is too high.

All three EAP types above have been tested and deployed with ORiNOCO access points and client cards. Other EAP types have also been tested and are in use, but they are not mentioned here because their use is not widespread.

Table 1 shows that some 802.1x-based systems pass the username in the clear. In these cases, end-user anonymity is not provided. MD5 is particularly vulnerable because the username, machine name, and hashed password are sent in the clear. When a hash of the password is sent, data is vulnerable to an offline dictionary attack. Any EAP type that sends either username or password in the clear is neither secure nor recommended.

[8] Aboba, B., Simon, D., "PPP EAP TLS Authentication Protocol", IETF RFC 2716,
[9] Funk, P., Blake-Wilson, S., "EAP Tunneled TLS Authentication Protocol (EAP-TTLS)",
[10] See
Column headings: EAP Type; Open/Proprietary; Mutual Auth; Authentication Credentials (Supplicant, Authenticator); Key Material; User Name; RFC

MD5: Open, No, Username/Pwd, None, No, 1321
TLS: Open, Certificate, Certificate, 2716
TTLS: Open, Username/Pwd, Certificate, No, IETF Draft
PEAP: Open, Username/Pwd, Certificate, No, IETF Draft
SIM: Open/GSM, SIM, IETF Draft
AKA: Open/UMTS, USIM, IETF Draft
SKE: Open/CDMA, IETF Draft
LEAP: Proprietary, Username/Pwd, NA

Table 1 EAP Types

802.1x Encryption

Attacks like the one launched by AirSnort are the most troublesome for networks; however, they are also the easiest to prevent using two common mechanisms. ORiNOCO's weak key avoidance (WEPplus), together with the key rotation mechanism built into the 802.1x standard and ORiNOCO access points, makes it possible to create a secure wireless network.

In the existing pre-802.1x specification, neither key distribution nor key rotation mechanisms are specified. With the exception of MD5, all EAP types listed in Table 1 provide a mechanism for the establishment of a session key at the station and the RADIUS server. This session key provides a secure means to periodically transport new encryption keys to the station, so that the keys used to encrypt user data can continuously and securely change.
Attacks against 802.1x

Arbaugh [11] demonstrated two attacks against 802.1x-enabled wireless LAN networks: session hijacking and man-in-the-middle. In addition to the 802.1x attacks described by Arbaugh, it is possible (and more likely) that a hacker might try to use a common AirSnort attack, described earlier in this paper. If encryption with rotating keys is used, none of the attacks described here can be a threat to users of ORiNOCO clients and access points.

Session Hijacking Attack

The session hijacking attack can only be performed on systems that are using 802.1x with encryption disabled. This is not a secure configuration, and Proxim recommends that encryption is always enabled with a key rotation period of less than 30 minutes. When the hijacked session attack is attempted on the EAP-TLS system, the attacker must:

1. Wait until the client has successfully authenticated to the network.
2. Send a disassociate message to the client, on the legitimate access point's behalf, using the MAC address of the access point.
3. Send frames to the valid access point, using the MAC address of the valid client.

The hijacked session attack assumes that no encryption is present, because if it were present, the radio perpetrating the attack would not be able to gain access to the network after the hijack because the access point would reject all packets that did not match an encryption key corresponding to a known user. There is not an easy way to decrypt a WEP key generated using 802.1x, so the hijacker cannot create encrypted packets.

When no encryption is present, this attack will succeed, allowing the attacker to use the session until the next re-authentication interval. At the next re-authentication time, the attacker would not be re-authenticated. He would then hijack another valid session. 802.1x wireless networks deployed with encryption enabled are not susceptible to this type of attack, and therefore it is not a concern.
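A toy model of the access-point side of the argument above: the PAE "toggle switch" from the Terms section, per-session keys rotated on a timer, and the check that rejects data frames not produced under a known session key. This is an added example, not ORiNOCO code; the class and function names are hypothetical, the MAC address is constructed, and an HMAC tag stands in for WEP encryption under the session key.

```python
"""Toy 802.1x authenticator port: PAE gating plus rotating session keys."""
import hashlib
import hmac
import os
from dataclasses import dataclass

EAPOL_ETHERTYPE = 0x888E       # EAP over LAN frames
IPV4_ETHERTYPE = 0x0800        # ordinary user data
MAX_REKEY_SECONDS = 30 * 60    # paper's guidance: rotate keys in under 30 minutes


@dataclass
class Frame:
    src_mac: str
    ethertype: int
    payload: bytes
    tag: bytes = b""           # stand-in for "encrypted under the session key"


def protect(key: bytes, payload: bytes) -> bytes:
    """Stand-in for WEP encryption: a tag only a holder of the key can produce."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def data_frame(mac: str, payload: bytes, key: bytes = None) -> Frame:
    """Build a user-data frame, protected when a session key is supplied."""
    return Frame(mac, IPV4_ETHERTYPE, payload, protect(key, payload) if key else b"")


class Authenticator:
    def __init__(self, encryption_enabled: bool = True, rekey_seconds: int = 15 * 60):
        self.encryption_enabled = encryption_enabled
        self.rekey_seconds = rekey_seconds
        self.sessions = {}     # src_mac -> (session key, time issued)

    def config_findings(self) -> list:
        """Flag the settings the paper calls out as insecure."""
        findings = []
        if not self.encryption_enabled:
            findings.append("encryption disabled")
        if self.rekey_seconds >= MAX_REKEY_SECONDS:
            findings.append("key rotation period is not under 30 minutes")
        return findings

    def on_eap_success(self, mac: str, now: float) -> bytes:
        """The authentication server accepted the supplicant: close the switch."""
        key = os.urandom(16)
        self.sessions[mac] = (key, now)
        return key

    def rotate_keys(self, now: float) -> dict:
        """Issue a fresh key to every session whose key has reached the period."""
        due = [m for m, (_, issued) in self.sessions.items()
               if now - issued >= self.rekey_seconds]
        fresh = {m: os.urandom(16) for m in due}
        for mac, key in fresh.items():
            self.sessions[mac] = (key, now)
        return fresh

    def accept(self, frame: Frame) -> bool:
        if frame.ethertype == EAPOL_ETHERTYPE:
            return True        # 802.1x traffic always passes the open switch
        session = self.sessions.get(frame.src_mac)
        if session is None:
            return False       # not authenticated: user data is dropped
        if not self.encryption_enabled:
            return True        # only the source MAC is checked in this mode
        return hmac.compare_digest(frame.tag, protect(session[0], frame.payload))


if __name__ == "__main__":
    client = "00:02:2d:00:00:01"              # constructed MAC address
    for encrypted in (True, False):
        ap = Authenticator(encryption_enabled=encrypted)
        key = ap.on_eap_success(client, now=0)
        print("encryption", encrypted,
              "| keyed frame:", ap.accept(data_frame(client, b"data", key)),
              "| same MAC, no key:", ap.accept(data_frame(client, b"data")),
              "| findings:", ap.config_findings())
```

With encryption enabled, a frame that carries the client's MAC address but was not produced under the current session key is dropped; with it disabled, the source MAC is the only check, which is why `config_findings` reports that setting.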
Man-in-the-Middle Attack

The scenario used by the attacker to implement this attack is as follows:

1. Place a special rogue access point system to be within radio range of both a valid end user and a valid access point. This rogue system has the capability to simultaneously associate with a legitimate access point, while at the same time acting as an access point itself and allowing a legitimate user to associate to it.
2. Using the rogue system, associate to a valid access point as a client station.
3. Wait for a valid user to associate to the rogue system.
4. Transparently act as a repeater between the legitimate user and the legitimate access point, passing frames received from the user to the access point and vice-versa.

As noted earlier, all EAP types except MD5 provide the ability to establish encrypted sessions. The man-in-the-middle attacker can observe this encrypted traffic, but cannot do anything malicious because it is encrypted. Encrypted traffic is not compromised by this attack and the attacker does not gain access to the network. The attacker only gains the ability to target a particular user for the denial of service attack, which could be more easily perpetrated by a regular access point disconnected from any network.

When encryption is not used, the man in the middle will be able to see the user's traffic. This would have also been possible with a network sniffer. Network sniffers can see network traffic of other users, but if that traffic is encrypted, that traffic is useless to any hacker. Therefore, man-in-the-middle type attacks are not a concern.

[11] Arbaugh, W., Mishra, A., "An Initial Security Analysis of the 802.1X Standard",

Choosing a Security Mechanism

It is possible to compromise any security mechanism with enough brainpower, computer processing power, and time. 802.1x offers greatly increased security measures over standard security. Maximum encryption strength today is offered by using VPN on top of a wireless network; however, 802.1x is a generally accepted method to implement wireless security in the enterprise. If a network must have the strongest encryption possible, the best solution is to use. If a more conventional and less restrictive method is appealing, use 802.1x.

Implementing 802.1x requires supplicant software on the wireless station, and a special type of RADIUS server that is capable of 802.1x authentication. Together with an 802.1x-capable wireless client and access point, they make up a complete 802.1x solution. The following ORiNOCO products will function with the 802.1x solutions that will be discussed below:

- Wireless client card: Any ORiNOCO a, a/b combo, or b card
- Wireless Access Point: ORiNOCO AP-600a, AP-600b, or AP-2000

Today, there are three main commercially available RADIUS server solutions. The 802.1x-capable RADIUS server can interface to other authentication servers if the username and password database resides elsewhere. Microsoft's IAS server interfaces only to Microsoft Domain and Active Directory servers, while Funk and Meetinghouse servers interface to both Microsoft and non-Microsoft authentication databases.
Listed below are two general combinations of RADIUS servers and supplicants that are used by Proxim customers. Proxim customers are not limited to only the solutions listed below.

Solution 1: Microsoft-Centric

- Reason for choice: Cost. Microsoft clients are free, and their servers are relatively affordable.
- EAP type: PEAP. Microsoft only supports PEAP and TLS. TLS is unwieldy because client certificates must be installed on each machine. PEAP uses username / password authentication.
- RADIUS server: Microsoft Windows 2000 Professional with Internet Authentication Server (IAS) and service pack 3 installed. IAS comes standard with Windows2000 Professional, but it must be explicitly selected during the installation process.
- Supplicant software: 802.1x upgrades available on Microsoft's web site for WindowsXP and Windows2000. Go to:

If other client support is required, Funk and Meetinghouse have feature-rich PEAP clients that work with Microsoft IAS:
Solution 2: Non-Microsoft Centric

- Reason for choice: Performance / features. In addition to supporting Windows 98 / ME clients, non-Microsoft servers support the widest range of password protocols and authentication databases, simplifying deployment by permitting the use of any existing authentication system for WLAN user authentication, including Active Directories, token systems, LDAP, and SQL databases.
- EAP type: TTLS. TTLS is more flexible than PEAP, and unlike TLS, it does not require client-side certificates.
- RADIUS server: Funk or Meetinghouse
- Supplicant software: XP, 2k, ME, 98, Pocket PC 2002, Mac OS X, and Linux clients are available. Client software is typically licensed on a per-client basis.

Conclusion

AirSnort and similar types of attacks have proven WEP security provided by the standard insecure. The WLAN industry has responded by creating WPA and i to address these issues in the long term, though these security solutions are not available today. Most of today's security requirements can be met with 802.1x, which provides a solution that is effective and has not yet been broken. Funk, Meetinghouse, and Microsoft all offer 802.1x client and server solutions that are available today and provide security that is adequate for enterprise applications.
More informationCS 356 Lecture 29 Wireless Security. Spring 2013
CS 356 Lecture 29 Wireless Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter
More informationExtensible Authentication Protocol (EAP) Security Issues
Sotillo ECU 1 Extensible Authentication Protocol (EAP) Security Issues Samuel Sotillo, Dept. of Technology Systems, East Carolina University Abstract This document describes the Extensible Authentication
More informationAdvanced Security Issues in Wireless Networks
Advanced Security Issues in Wireless Networks Seminar aus Netzwerke und Sicherheit Security Considerations in Interconnected Networks Alexander Krenhuber Andreas Niederschick 9. Januar 2009 Advanced Security
More informationCisco SAFE: Wireless LAN Security in Depth
White Paper Cisco SAFE: Wireless LAN Security in Depth Authors Sean Convery (CCIE #4232), Darrin Miller (CCIE #6447), and Sri Sundaralingam are the primary authors of this white paper. Mark Doering, Pej
More informationWi-Fi Client Device Security and Compliance with PCI DSS
Wi-Fi Client Device Security and Compliance with PCI DSS A Summit Data Communications White Paper Original Version: June 2008 Update: January 2009 Protecting Payment Card Information It is every retailer
More informationSecurity in Wireless Local Area Network (WLAN)
The Journal of Mathematics and Computer Science Available online at http://www.tjmcs.com The Journal of Mathematics and Computer Science Vol.5 No.4 (2012) 320-330 Security in Wireless Local Area Network
More informationNXC5500/2500. Application Note. 802.11w Management Frame Protection. ZyXEL NXC Application Notes. Version 4.20 Edition 2, 02/2015
NXC5500/2500 Version 4.20 Edition 2, 02/2015 Application Note 802.11w Management Frame Protection Copyright 2015 ZyXEL Communications Corporation 802.11w Management Frame Protection Introduction IEEE 802.11w
More informationAgenda. Wireless LAN Security. TCP/IP Protocol Suite (Internet Model) Security for TCP/IP. Agenda. Car Security Story
Wireless s June September 00 Agenda Wireless Security ผศ. ดร. อน นต ผลเพ ม Asst. Prof. Anan Phonphoem, Ph.D. anan@cpe.ku.ac.th http://www.cpe.ku.ac.th/~anan Computer Engineering Department Kasetsart University,
More informationCISCO WIRELESS SECURITY SUITE
Q&A CISCO WIRELESS SECURITY SUITE OVERVIEW What is the Cisco Wireless Security Suite? The Cisco Wireless Security Suite is an enterprise-ready, standards-based, wireless LAN (WLAN) security solution for
More informationKey Hopping A Security Enhancement Scheme for IEEE 802.11 WEP Standards
White Paper Key Hopping A Security Enhancement Scheme for IEEE 802.11 WEP Standards By Dr. Wen-Ping Ying, Director of Software Development, February 2002 Introduction Wireless LAN networking allows the
More informationRecommended 802.11 Wireless Local Area Network Architecture
NATIONAL SECURITY AGENCY Ft. George G. Meade, MD I332-008R-2005 Dated: 23 September 2005 Network Hardware Analysis and Evaluation Division Systems and Network Attack Center Recommended 802.11 Wireless
More informationNetwork Access Security It's Broke, Now What? June 15, 2010
Network Access Security It's Broke, Now What? June 15, 2010 Jeffrey L Carrell Network Security Consultant Network Conversions SHARKFEST 10 Stanford University June 14-17, 2010 Network Access Security It's
More informationDeploying secure wireless network services The Avaya Identity Engines portfolio offers flexible, auditable management for secure wireless networks.
Table of Contents Section 1: Executive summary...1 Section 2: The challenge...2 Section 3: WLAN security...3 and the 802.1X standard Section 4: The solution...4 Section 5: Security...4 Section 6: Encrypted
More informationSymm ym e m t e r t ic i c cr c yptogr ypt aphy a Ex: RC4, AES 2
Wi-Fi Security FEUP>MIEIC>Mobile Communications Jaime Dias Symmetric cryptography Ex: RC4, AES 2 Digest (hash) Cryptography Input: variable length message Output: a fixed-length bit
More informationA Threat Analysis of The Extensible Authentication Protocol
A Threat Analysis of The Extensible Authentication Protocol Lei Han Student #: 100304821 April, 2006 Supervised by Professor Michel Barbeau School of Computer Science Carleton University Honors Project
More informationTHE IMPORTANCE OF CRYPTOGRAPHY STANDARD IN WIRELESS LOCAL AREA NETWORKING
International Journal of Electronics and Communication Engineering & Technology (IJECET) Volume 6, Issue 9, Sep 2015, pp. 65-74, Article ID: IJECET_06_09_008 Available online at http://www.iaeme.com/ijecetissues.asp?jtype=ijecet&vtype=6&itype=9
More informationUNIVERZITA KOMENSKÉHO V BRATISLAVE FAKULTA MATEMATIKY, FYZIKY A INFORMATIKY PRÍPRAVA ŠTÚDIA MATEMATIKY A INFORMATIKY NA FMFI UK V ANGLICKOM JAZYKU
UNIVERZITA KOMENSKÉHO V BRATISLAVE FAKULTA MATEMATIKY, FYZIKY A INFORMATIKY PRÍPRAVA ŠTÚDIA MATEMATIKY A INFORMATIKY NA FMFI UK V ANGLICKOM JAZYKU ITMS: 26140230008 DOPYTOVO ORIENTOVANÝ PROJEKT Moderné
More informationParticularities of security design for wireless networks in small and medium business (SMB)
Revista Informatica Economică, nr. 4 (44)/2007 93 Particularities of security design for wireless networks in small and medium business (SMB) Nicolae TOMAI, Cluj-Napoca, Romania, tomai@econ.ubbcluj.ro
More informationThe next generation of knowledge and expertise Wireless Security Basics
The next generation of knowledge and expertise Wireless Security Basics HTA Technology Security Consulting., 30 S. Wacker Dr, 22 nd Floor, Chicago, IL 60606, 708-862-6348 (voice), 708-868-2404 (fax), www.hta-inc.com
More informationCertficate Extensions and Attributes Supporting Authentication in PPP and Wireless LAN. Daniel Schwarz
Certficate Extensions and Attributes Supporting Authentication in PPP and Wireless LAN Daniel Schwarz Overview: 1. Introduction I. PKIX 2. Basics I. PPP II. EAP III. 802.1x IV. X.509 certificate extensions
More informationSecurity. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1
Contents Security requirements Public key cryptography Key agreement/transport schemes Man-in-the-middle attack vulnerability Encryption. digital signature, hash, certification Complete security solutions
More informationDESIGNING AND DEPLOYING SECURE WIRELESS LANS. Karl McDermott Cisco Systems Ireland kamcderm@cisco.com
DESIGNING AND DEPLOYING SECURE WIRELESS LANS Karl McDermott Cisco Systems Ireland kamcderm@cisco.com 1 Agenda Wireless LAN Security Overview WLAN Security Authentication and Encryption Radio Monitoring
More informationWLAN - Good Security Principles. WLAN - Good Security Principles. Example of War Driving in Hong Kong* WLAN - Good Security Principles
WLAN Security.. from this... Security Architectures and Protocols in Wireless LANs (Section 3) 1 2 WLAN Security.. to this... How Security Breaches Occur 3 War (wide area roaming) Driving/War Chalking
More informationWireless Local Area Network Security Obscurity Through Security
Wireless Local Area Network Security Obscurity Through Security Abstract Since the deployment of infamous Wired Equivalent Privacy (WEP), IEEE and vendors have developed a number of good security mechanisms
More informationvwlan External RADIUS 802.1x Authentication
6ABSCG0002-29B July 2013 Configuration Guide vwlan External RADIUS 802.1x Authentication This configuration guide provides an in-depth look at external Remote Authentication Dial-In User Service (RADIUS)
More informationSecurity+ Guide to Network Security Fundamentals, Third Edition Chapter 8 Authentication
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 8 Authentication Objectives Define authentication Describe the different types of authentication credentials List and explain the
More informationCertified Wireless Security Professional (CWSP) Course Overview
Certified Wireless Security Professional (CWSP) Course Overview This course will teach students about Legacy Security, encryption ciphers and methods, 802.11 authentication methods, dynamic encryption
More informationYour 802.11 Wireless Network has No Clothes
Your 802.11 Wireless Network has No Clothes William A. Arbaugh Narendar Shankar Y.C. Justin Wan Department of Computer Science University of Maryland College Park, Maryland 20742 March 30, 2001 Abstract
More informationWireless Network Standard and Guidelines
Wireless Network Standard and Guidelines Purpose The standard and guidelines listed in this document will ensure the uniformity of wireless network access points and provide guidance for monitoring, maintaining
More informationUsing IEEE 802.1x to Enhance Network Security
Using IEEE 802.1x to Enhance Network Security Table of Contents Introduction...2 Terms and Technology...2 Understanding 802.1x...3 Introduction...3 802.1x Authentication Process...3 Before Authentication...3
More informationProCurve Wireless LAN Security
ProCurve Wireless LAN Security Fundamentals Guide Technical Training Version 8.21 Contents ProCurve Wireless LAN Security Fundamentals Introduction... 1 Objectives... 1 Discussion Topics... 2 Authentication
More informationACC-232 2002, Cisco Systems, Inc. All rights reserved.
1 2 Securing 802.11 Wireless Networks Session 3 Session Information Basic understanding of components of 802.11 networks Please save questions until the end 4 Agenda Drivers for Wireless Security Wireless
More informationHow To Secure Wireless Networks
Lecture 24 Wireless Network Security modified from slides of Lawrie Brown Wireless Security Overview concerns for wireless security are similar to those found in a wired environment security requirements
More informationWireless Networks. Welcome to Wireless
Wireless Networks 11/1/2010 Wireless Networks 1 Welcome to Wireless Radio waves No need to be physically plugged into the network Remote access Coverage Personal Area Network (PAN) Local Area Network (LAN)
More informationSecurity Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2
BlackBerry Enterprise Service 10 BlackBerry Device Service Solution Version: 10.2 Security Technical Overview Published: 2014-09-10 SWD-20140908123239883 Contents 1 About BlackBerry Device Service solution
More informationApplication Note: Onsight Device VPN Configuration V1.1
Application Note: Onsight Device VPN Configuration V1.1 Table of Contents OVERVIEW 2 1 SUPPORTED VPN TYPES 2 1.1 OD VPN CLIENT 2 1.2 SUPPORTED PROTOCOLS AND CONFIGURATION 2 2 OD VPN CONFIGURATION 2 2.1
More informationLinux Access Point and IPSec Bridge
Tamkang Journal of Science and Engineering, Vol. 6, No. 2, pp. 121-126 (2003) 121 Linux Access Point and IPSec Bridge T. H. Tseng and F. Ye Department of Electrical Engineering Tamkang University Tamsui,
More informationALL1682511. 500Mbits Powerline WLAN N Access Point. User s Manual
ALL1682511 500Mbits Powerline WLAN N Access Point User s Manual Contents 1. Introduction...1 2. System Requirements...1 3. Configuration...1 4. WPS...9 5. Wireless AP Settings...9 6. FAQ... 15 7. Glossary...
More informationWi-Fi Client Device Security and Compliance with PCI DSS
Wi-Fi Client Device Security and Compliance with PCI DSS Originally Published: June 2008 Updated: January 2009, June 2010, October 2012 A White Paper from Laird Technologies Major payment card companies
More information802.1X AUTHENTICATION IN ACKSYS BRIDGES AND ACCESS POINTS
APPLICATION NOTE Ref APNUS004 rev. A-0, March 08, 2007 802.1X AUTHENTICATION IN ACKSYS BRIDGES AND ACCESS POINTS Why? In addition to MAC address filtering, ACKSYS products support a more reliable authentication
More informationWLAN Attacks. Wireless LAN Attacks and Protection Tools. (Section 3 contd.) Traffic Analysis. Passive Attacks. War Driving. War Driving contd.
Wireless LAN Attacks and Protection Tools (Section 3 contd.) WLAN Attacks Passive Attack unauthorised party gains access to a network and does not modify any resources on the network Active Attack unauthorised
More informationAuthentication and Security in IP based Multi Hop Networks
7TH WWRF MEETING IN EINDHOVEN, THE NETHERLANDS 3RD - 4TH DECEMBER 2002 1 Authentication and Security in IP based Multi Hop Networks Frank Fitzek, Andreas Köpsel, Patrick Seeling Abstract Network security
More informationA SURVEY OF WIRELESS NETWORK SECURITY PROTOCOLS
A SURVEY OF WIRELESS NETWORK SECURITY PROTOCOLS Jose Perez Texas A&M University Corpus Christi Email: jluisperez16@gmail.com Fax Number: (361) 825-2795 Faculty Advisor: Dr. Ahmed Mahdy, Texas A&M University
More informationCisco Secure ACS. By Igor Koudashev, Systems Engineer, Cisco Systems Australia ivk@cisco.com. 2006 Cisco Systems, Inc. All rights reserved.
Cisco Secure ACS Overview By Igor Koudashev, Systems Engineer, Cisco Systems Australia ivk@cisco.com 2006 Cisco Systems, Inc. All rights reserved. 1 Cisco Secure Access Control System Policy Control and
More informationDATA SECURITY 1/12. Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0
DATA SECURITY 1/12 Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0 Contents 1. INTRODUCTION... 3 2. REMOTE ACCESS ARCHITECTURES... 3 2.1 DIAL-UP MODEM ACCESS... 3 2.2 SECURE INTERNET ACCESS
More informationWIRELESS SECURITY. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006
WIRELESS SECURITY Information Security in Systems & Networks Public Development Program Sanjay Goel University at Albany, SUNY Fall 2006 1 Wireless LAN Security Learning Objectives Students should be able
More informationHuawei WLAN Authentication and Encryption
Huawei WLAN Authentication and Encryption The Huawei integrated Wireless Local Area Network (WLAN) solution can provide all-round services for municipalities at various levels and enterprises and institutions
More informationClickShare Network Integration
ClickShare Network Integration Application note 1 Introduction ClickShare Network Integration aims at deploying ClickShare in larger organizations without interfering with the existing wireless network
More informationAll vulnerabilities that exist in conventional wired networks apply and likely easier Theft, tampering of devices
Wireless Security All vulnerabilities that exist in conventional wired networks apply and likely easier Theft, tampering of devices Portability Tamper-proof devices? Intrusion and interception of poorly
More informationHow To Secure A Wireless Network With A Wireless Device (Mb8000)
MB8000 Network Security and Access Control Overview MB8000 employs almost all of the current popular WLAN security mechanisms. These include wireless-user isolation, closed system (by turning off SSID
More informationWiFi Security: WEP, WPA, and WPA2
WiFi Security: WEP, WPA, and WPA2 - security requirements in wireless networks - WiFi primer - WEP and its flaws - 802.11i - WPA and WPA2 (RSN) Why security is more of a concern in wireless? no inherent
More informationNew Avatars of Honeypot Attacks on WiFi Networks
New Avatars of Honeypot Attacks on WiFi Networks Prabhash Dhyani Wireless Security Researcher,Airtight Networks,Pune Email: prabhash.dhyani@airtightnetworks.com Abstract WiFi has become mainstream technology
More informationIndustrial Communication. Securing Industrial Wireless
Industrial Communication Whitepaper Securing Industrial Wireless Contents Introduction... 3 Wireless Applications... 4 Potential Threats... 5 Denial of Service... 5 Eavesdropping... 5 Rogue Access Point...
More informationCisco Secure Access Control Server 4.2 for Windows
Cisco Secure Access Control Server 4.2 for Windows Overview Q. What is Cisco Secure Access Control Server (ACS)? A. Cisco Secure ACS is a highly scalable, high-performance access control server that operates
More informationNetwork Access Security. Lesson 10
Network Access Security Lesson 10 Objectives Exam Objective Matrix Technology Skill Covered Exam Objective Exam Objective Number Firewalls Given a scenario, install and configure routers and switches.
More information802.1x in the Enterprise Network
802.1x in the Enterprise Network Harrison Forest ICTN 6823 Abstract: This paper aims to provide a general over view of 802.1x authentication and its growing importance on enterprise networks today. It
More informationDOS ATTACKS IN INTRUSION DETECTION AND INHIBITION TECHNOLOGY FOR WIRELESS COMPUTER NETWORK
DOS ATTACKS IN INTRUSION DETECTION AND INHIBITION TECHNOLOGY FOR WIRELESS COMPUTER NETWORK ABSTRACT Dr. Sanjeev Dhull Associate Professor, RPIIT Karnal, Dept of Computer Science The DoS attack is the most
More informationEbonyi State University Abakaliki 2 Department of Computer Science. Our Saviour Institute of Science and Technology 3 Department of Computer Science
Security Measures taken in Securing Data Transmission on Wireless LAN 1 AGWU C. O., 2 ACHI I. I., AND 3 OKECHUKWU O. 1 Department of Computer Science Ebonyi State University Abakaliki 2 Department of Computer
More informationWireless Security. CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger. www.cse.psu.edu/~tjaeger/cse497b-s07/
Wireless Security CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/ At the mall... Page 2 Wireless Networks Page 3 Network supported
More informationAnalysis of Security Issues and Their Solutions in Wireless LAN 1 Shenam Chugh, 2 Dr.Kamal
Analysis of Security Issues and Their Solutions in Wireless LAN 1 Shenam Chugh, 2 Dr.Kamal 1,2 Department of CSE 1,2,3 BRCM Bahal, Bhiwani 1 shenam91@gmail.com, 2 dkamal@brcm.edu.in Abstract This paper
More informationWLAN Information Security Best Practice Document
WLAN Information Security Best Practice Document Produced by FUNET led working group on wireless systems and mobility (MobileFunet) (WLAN security) Author: Wenche Backman Contributors: Ville Mattila/CSC
More informationRunning Head: WIRELESS NETWORKING FOR SMALL BUSINESSES. Wireless Networking for Small Businesses. Russell Morgan. East Carolina University
Wireless Networking for Small Businesses 1 Running Head: WIRELESS NETWORKING FOR SMALL BUSINESSES Wireless Networking for Small Businesses Russell Morgan East Carolina University Wireless Networking for
More information